Authoritative SYSVOL restore (DFS-R)

In my previous article “Non-authoritative SYSVOL restore (DFS-R)” I showed you how to do a non-authoritative restore of SYSVOL based on DFS Replication. Today it is time to do an authoritative SYSVOL restore. This is the variant you need when your domain is in a bigger mess, or when you have to restore SYSVOL from backup and replicate that restored copy out to the other Domain Controllers.

This action affects all of your Domain Controllers in the entire domain. In the first case (non-authoritative) you only touch SYSVOL on one DC at a time. The rest of your Domain Controllers keep running and sharing SYSVOL to users.

The second case (authoritative) is much more visible to users. While it is in progress, the Domain Controllers do not replicate or share SYSVOL, where Group Policies and logon scripts are located. When you decide to do an authoritative SYSVOL restore, inform all administrators not to create or modify Group Policies during that time, because the authoritative copy will overwrite whatever the other DCs hold. All other domain services keep running; only access to SYSVOL is affected. So this action should be performed outside business hours.

How do you start an authoritative SYSVOL restore? What do you need to do first?

First identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify a GPO, the Group Policy Management Console does it on this Domain Controller by default.

If you need to restore SYSVOL from backup, that should also be done directly on the PDC Emulator role holder, because that is the DC from which you will initiate the authoritative SYSVOL restore.

So, let’s see how we can do that.

Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following in an elevated command prompt on any of your DCs

netdom query fsmo

[Screenshot: Finding PDC Emulator role holder]

or type in PowerShell (Windows Server 2012/2012 R2; the ActiveDirectory module is installed together with the AD DS role)

Import-Module ActiveDirectory
Get-ADDomain | Select PDCEmulator

[Screenshot: Finding PDC Emulator role holder]

and you’ll see which DC is holding this role.

When you are logged on to this Domain Controller, you need to evaluate how many DCs there are in your domain, because every one of them has to be touched in the steps below. The simplest way to check that is with the Microsoft DS tools on a DC. Type in a command prompt

dsquery server

which lists the Domain Controllers with their distinguished names. Then open ADSI Edit (adsiedit.msc), connect to the Default naming context and navigate to

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=Domain Controller name,OU=Domain Controllers,DC=domain,DC=local

where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the name of the PDC Emulator role holder on which you want to initiate the authoritative SYSVOL restore.

[Screenshot: Searching SYSVOL subscription node]

Right-click the “CN=SYSVOL Subscription” entry in the right pane and choose “Properties”

[Screenshot: Editing SYSVOL subscription entry]

This time you need to change the value of two attributes

msDFSR-Enabled

msDFSR-Options

Find them on the list and edit them

[Screenshot: msDFSR-Enabled attribute edition]

Change msDFSR-Enabled from TRUE to FALSE and accept the change

[Screenshot: Modification of msDFSR-Enabled attribute]

and click OK to apply it

[Screenshot: Accept attributes changes]

Now find the second attribute, msDFSR-Options, and edit it

[Screenshot: msDFSR-Options attribute edition]

Change it from <not set> to 1 and accept the change (this is the value that marks this DC’s copy of SYSVOL as the authoritative one)

[Screenshot: Modification of msDFSR-Options attribute]

and click OK to apply it (do not close the window, you will use it later)

[Screenshot: Accept attributes changes]

REPETITIVE TASK

Now, on each of the remaining Domain Controllers you need to change the msDFSR-Enabled attribute from TRUE to FALSE, so that they later pick up SYSVOL again from the authoritative Domain Controller. This does not need to be done directly on each Domain Controller; you can use ADSI Edit on the same DC on which you changed the previous attributes, because the attribute lives in Active Directory and replicates from there. But it is important to do this for EVERY remaining DC!

Below you can find all the required steps. Repeat them for each of the remaining Domain Controllers

In ADSI Edit on the Domain Controller where you changed the previous attributes, close the “Attribute Editor” window and go back to the console. Expand each remaining DC (CN=DC name → CN=DFSR-LocalSettings → CN=Domain System Volume) and open the properties of its CN=SYSVOL Subscription entry to set the msDFSR-Enabled attribute

[Screenshot: Changing SYSVOL subscription of the rest of Domain Controllers]

Search for the attribute

[Screenshot: msDFSR-Enabled attribute edition]

and edit it, changing TRUE to FALSE

[Screenshot: Modification of msDFSR-Enabled attribute]

and click OK to accept the change

[Screenshot: Modify attribute and accept changes]

and stop the DFS Replication service (DFSR) on that remote DC. Repeat these steps for EVERY remaining Domain Controller.
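The same preparation, scripted. This is an added example and not code from the original article: it performs the steps above (find the PDC Emulator, enumerate the DCs, set msDFSR-Enabled to FALSE and msDFSR-Options to 1 on the PDC Emulator’s SYSVOL Subscription object, set msDFSR-Enabled to FALSE on every other DC and stop their DFS Replication service) from one elevated Windows PowerShell 5.1 session on a Domain Controller, using the ActiveDirectory module. It assumes you run it as a Domain Admin and that the service control manager on the remote DCs is reachable for Get-Service -ComputerName (that parameter exists in Windows PowerShell 5.1, not in PowerShell 7). The SYSVOL Subscription DN is built from each DC’s own ComputerObjectDN, so a computer object moved out of OU=Domain Controllers is still found. Leave $WhatIf at $true for a dry run that only reports what would change.

```powershell
# Added example, not code from the original article. Scripts the ADSI Edit
# steps above from one elevated Windows PowerShell 5.1 session on a DC,
# running as a Domain Admin. Assumes the ActiveDirectory module (AD DS role
# or RSAT) and that the remote DCs' service control manager is reachable.
Import-Module ActiveDirectory

# Set to $false to actually apply the changes; $true only reports them.
$WhatIf = $true

$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator                          # FQDN of the PDC Emulator
$dcs    = @(Get-ADDomainController -Filter * -Server $pdce)

Write-Host "PDC Emulator      : $pdce"
Write-Host "Domain Controllers: $($dcs.Count)"
$dcs | Select-Object HostName, Site, OperationMasterRoles | Format-Table -AutoSize

# DN of the DFS-R SYSVOL subscription object of a DC; this is the object
# opened in ADSI Edit above, built from the DC's own computer object DN.
function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)]$DC)
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($DC.ComputerObjectDN)"
}

# Current state of both attributes on every DC, read from the PDC Emulator.
function Show-SysvolSubscription {
    foreach ($dc in $dcs) {
        Get-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Server $pdce `
            -Properties 'msDFSR-Enabled', 'msDFSR-Options' |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, 'msDFSR-Enabled', 'msDFSR-Options'
    }
}

Write-Host "`nBefore:"
Show-SysvolSubscription | Format-Table -AutoSize

$authDC = $dcs | Where-Object { $_.HostName -eq $pdce }
if (-not $authDC) { throw "PDC Emulator $pdce not found among the domain controllers" }

# 1. PDC Emulator: msDFSR-Enabled = FALSE and msDFSR-Options = 1 (authoritative copy).
Set-ADObject -Identity (Get-SysvolSubscriptionDN $authDC) -Server $pdce `
    -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 } -WhatIf:$WhatIf

# 2. Every other DC: msDFSR-Enabled = FALSE. Written against the PDC Emulator,
#    exactly like using ADSI Edit on one DC for all of them; AD replication
#    carries the change. Then stop the DFS Replication service on that DC.
foreach ($dc in $dcs | Where-Object { $_.HostName -ne $pdce }) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Server $pdce `
        -Replace @{ 'msDFSR-Enabled' = $false } -WhatIf:$WhatIf
    Get-Service -Name DFSR -ComputerName $dc.HostName | Stop-Service -Force -WhatIf:$WhatIf
}

Write-Host "`nAfter:"
Show-SysvolSubscription | Format-Table -AutoSize
```

The “Before” and “After” tables are the check that you touched every DC and nothing else: after a real run, msDFSR-Enabled must read False on all of them and msDFSR-Options must read 1 only on the PDC Emulator. Keep in mind that at this point SYSVOL replication is disabled everywhere and the DFSR service is stopped on the remote DCs; that is intended, but the domain stays in this state until msDFSR-Enabled is set back to TRUE and the service restarted, on the PDC Emulator first and only then on the other DCs, which is the second half of the procedure.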

Thanks! Came to a new job and the DCs were not communicating for… OVER 600 DAYS. Did a bunch of troubleshooting and finally ended up on DFS event logs and then found your site! This post is 1000 times better than the one on TechNet.

I could kiss you right now. I’ve been working on this replication problem on and off for months now! I tried using the MS version of these procedures and they leave out way too many steps. They mention things like “after this step, force replication”, yet they give me no commands or directions, so I was very confused. You are my hero, thanks.

I have tried a non-authoritative restore but it doesn’t work, so I will try an authoritative restore. But the problem is the FSMO roles, because I moved them to a new DC which does not get SYSVOL replication. What would you suggest?

I really appreciate your posts on both authoritative and non-authoritative DFSR restores. They’ve helped me out a bunch. I wanted to post to mention to other readers that, for me, I had an issue with deleting the contents of the SYSVOL directories during the correct step. It turned out I had Group Policy Management open on one of the domain controllers and it was denying access. Just for anyone else that comes across it: make sure it’s closed.